Passwords with more than 8 letters

blueice (Verified User; joined Jan 18, 2004; 191 messages)

Hi,
I have seen that the DirectAdmin login uses only the first 8 characters of the password.
However, it allows you to enter more than 8 characters in the password change form, and allows more than 8 in the login, but it just doesn't count the characters after the first 8.
This is very insecure, and I think it is a small hole in the system, because the customer thinks they have a difficult password with many characters, but if the first 8 characters are simple then the customer has a simple password and doesn't even know it.
I have enabled the difficult password feature, but why do you not allow more characters in the passwords? Can you please add this feature?
Also I ask for one more feature: when I have selected the option for difficult passwords with more than 8 characters and symbols, the password generation feature (in email and MySQL account resets) can create passwords based on these rules.

thanks
 

dvnscr (Verified User; joined Jun 29, 2009; 40 messages)

It is time to move on from 8-symbol passwords. As everyone knows, it takes 10 minutes to crack one, while at least 11 symbols takes 2 years.
 

floyd (Verified User; joined Mar 29, 2005; 5,330 messages)

I just tried changing my DirectAdmin admin password and verified that I do have to use all 11 characters to login. I cannot just use the first 8 characters. Again, all 11 are required. It's a CentOS 32-bit system.
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †; joined Jun 16, 2003; 26,119 messages; location: California)

> I have seen that the DirectAdmin login uses only the first 8 characters of the password.
> However, it allows you to enter more than 8 characters in the password change form, and allows more than 8 in the login, but it just doesn't count the characters after the first 8.

More likely this is a problem with your OS. What OS distribution are you using?

Jeff
 

blueice (Verified User; joined Jan 18, 2004; 191 messages)

> More likely this is a problem with your OS. What OS distribution are you using?
>
> Jeff

I use Debian. I have tested both 32- and 64-bit.
If this happens then it is a security hole in Debian systems...
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †; joined Jun 16, 2003; 26,119 messages; location: California)

If it's a Debian issue then you'll only need the first 8 characters of your password to log in through the shell.

Test and let us know.

Jeff
 

DirectAdmin Support (Administrator; Staff member; joined Feb 27, 2003; 9,021 messages)

Hello,

DA itself will always try and set an MD5 password. However, in some areas of DA, like setting the account password, DA uses system calls to set the passwords. DA has no control over the password format used there. It's generally set in the /etc/login.defs file.

I have a feeling this is a related guide for the issue:
http://help.directadmin.com/item.php?id=248

Make sure you're using MD5.. and not something like the old DES which has the 8 character limit.

Waaaay back, DA used to use DES for its passwords, which did have the 8 character limit (for all crypted passwords that DA generated)... like email accounts, ftp passwords, and system passwords for the cases where DA passes the crypt... this was the related change:
http://www.directadmin.com/features.php?id=513.
However, this change does not affect calls to system binaries where those binaries set the crypt. Again, that's specified in the /etc/login.defs file.
We've long since used the full MD5 format which has a far longer limit.

John
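As an added illustration of the point above (not code from the thread or from DirectAdmin), the following Python audit reads an /etc/login.defs fragment for the active ENCRYPT_METHOD and classifies stored crypt(3) hashes by their prefix, flagging the traditional DES format, which only ever covers the first 8 characters. The login.defs text and the shadow hashes are constructed samples, not real credentials.

```python
import re

# Constructed sample of the relevant part of /etc/login.defs, in the state the
# thread describes: the DES line is present but commented out, so nothing is set
# and crypt(3) falls back to traditional DES, which hashes only 8 characters.
SAMPLE_LOGIN_DEFS = """\
# Encryption method used to hash new passwords
#ENCRYPT_METHOD DES
UMASK 022
"""

# Constructed, non-functional hashes in the shapes that appear in /etc/shadow.
SAMPLE_SHADOW = {
    "des_user": "abJnggxhB/yWI",                         # 13 chars, no $id$ prefix
    "md5_user": "$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0",     # MD5-crypt
    "sha512_user": "$6$saltsalt$" + "A" * 86,              # SHA-512 crypt
}

def encrypt_method(login_defs_text):
    """Return the active ENCRYPT_METHOD value, or None if every such line is
    commented out or missing (the traditional DES fallback)."""
    for line in login_defs_text.splitlines():
        m = re.match(r"^\s*ENCRYPT_METHOD\s+(\S+)", line)
        if m:
            return m.group(1).upper()
    return None

def hash_scheme(shadow_hash):
    """Classify a stored hash by its crypt(3) $id$ prefix; a bare 13-character
    string over [./0-9A-Za-z] is the traditional DES format."""
    prefixes = {"$1$": "MD5", "$5$": "SHA256", "$6$": "SHA512", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if shadow_hash.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", shadow_hash):
        return "DES"
    return "unknown"

def truncates_at_8(scheme):
    """Only traditional DES crypt silently ignores everything after character 8."""
    return scheme == "DES"

def audit(login_defs_text, shadow_entries):
    """Return the effective method for new passwords and the users whose existing
    hash only covers the first 8 characters (they stay weak until reset)."""
    method = encrypt_method(login_defs_text) or "DES"
    weak = sorted(u for u, h in shadow_entries.items() if truncates_at_8(hash_scheme(h)))
    return method, weak
```

Changing ENCRYPT_METHOD only affects passwords set afterwards; accounts whose hash is still in the 13-character DES form remain 8-character passwords until they are changed.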
 

blueice (Verified User; joined Jan 18, 2004; 191 messages)

> If it's a Debian issue then you'll only need the first 8 characters of your password to log in through the shell.
>
> Test and let us know.
>
> Jeff

Yeah, right: I have set a 12-character password and I can log in with only the first 8.
 

blueice (Verified User; joined Jan 18, 2004; 191 messages)

> Hello,
>
> DA itself will always try and set an MD5 password. However, in some areas of DA, like setting the account password, DA uses system calls to set the passwords. DA has no control over the password format used there. It's generally set in the /etc/login.defs file.
>
> I have a feeling this is a related guide for the issue:
> http://help.directadmin.com/item.php?id=248
>
> Make sure you're using MD5.. and not something like the old DES which has the 8 character limit.
>
> Waaaay back, DA used to use DES for its passwords, which did have the 8 character limit (for all crypted passwords that DA generated)... like email accounts, ftp passwords, and system passwords for the cases where DA passes the crypt... this was the related change:
> http://www.directadmin.com/features.php?id=513.
> However, this change does not affect calls to system binaries where those binaries set the crypt. Again, that's specified in the /etc/login.defs file.
> We've long since used the full MD5 format which has a far longer limit.
>
> John

Hi,
can you please put this change in the installation script for Debian?
The OS has some default settings, but I think this feature is very important, so you could use it in the installation script.
Also, how about the compatibility of generating passwords (for email, MySQL etc.) with the difficult_password_script settings?
Without this compatibility it is very difficult to use more than 8 letters and symbols, because the clients are confused by this.
Thanks
 

DirectAdmin Support (Administrator; Staff member; joined Feb 27, 2003; 9,021 messages)

Hello,

1) What exactly did you change? (What were your default settings, and what did you change them to?) The mentioned guide is from SHA-512 to MD5.. so they're not the same, but the same idea is used .. we just need to know what was in your login.defs before, such that we can add the changes to the installer.

2) I'm not too clear on your question about "compatibility" with the difficult password enforcement option. Can you clarify for me what things you're comparing that need to be compatible?

Note that if any admin has different ideas of what a password should be, they can change this script:
Code:
/usr/local/directadmin/scripts/difficult_password.php
using the standard template editing rules.

John
 

blueice (Verified User; joined Jan 18, 2004; 191 messages)

> Hello,
>
> 1) What exactly did you change? (What were your default settings, and what did you change them to?) The mentioned guide is from SHA-512 to MD5.. so they're not the same, but the same idea is used .. we just need to know what was in your login.defs before, such that we can add the changes to the installer.
>
> 2) I'm not too clear on your question about "compatibility" with the difficult password enforcement option. Can you clarify for me what things you're comparing that need to be compatible?
>
> Note that if any admin has different ideas of what a password should be, they can change this script:
> Code:
> /usr/local/directadmin/scripts/difficult_password.php
> using the standard template editing rules.
>
> John

Hi,
1. /etc/login.defs before had:
Code:
#ENCRYPT_METHOD DES
It has the # in front, so it is not used.
You only need to add the line:
Code:
ENCRYPT_METHOD MD5
and everything is OK (remember to change the admin password after this).

2. I will explain, because my English is bad:
I have selected in difficult_password.php to require lowercase letters, uppercase letters, numbers, special characters (like !@#) and at least 12 letters.
When a user tries to create an email or MySQL database and presses the Random button, the auto-generated password has only 8 characters and no symbols. It would be very nice and really easy for the customer if the Random button generated a password following the difficult_password rules.
Without this most of my customers are confused, and it is not so easy to use the Random feature.
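As an added example (not code from the thread or from DirectAdmin), this Python snippet shows a policy checker and a generator that agree on the rules described above, so a "Random" password cannot fail the difficult_password check. The exact symbol set and the class names are assumptions; the thread only gives "!@#" as examples.

```python
import secrets
import string

# Policy as described in the thread: lowercase, uppercase, digits, special
# characters and at least 12 characters. The full symbol set is an assumption;
# the thread only gives "!@#" as examples.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*"
MIN_LENGTH = 12
CLASSES = (("lowercase", LOWER), ("uppercase", UPPER), ("digit", DIGITS), ("special", SPECIAL))

def policy_failures(password):
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    for name, charset in CLASSES:
        if not any(c in charset for c in password):
            failures.append("no " + name)
    return failures

def generate_password(length=MIN_LENGTH):
    """Build a random password that satisfies the policy, using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    # One character from each class guarantees coverage; the rest come from the
    # union of all classes so the result is not skewed towards any one class.
    chars = [secrets.choice(charset) for _, charset in CLASSES]
    alphabet = "".join(charset for _, charset in CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)  # do not leak which positions hold which class
    return "".join(chars)
```

An 8-character, letters-only password of the kind the thread says the Random button produced fails three of the four class rules as well as the length rule.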
 

floyd (Verified User; joined Mar 29, 2005; 5,330 messages)

I am going a little off topic here but hopefully will be quick.

In order to crack a password would you not need to have access to the encrypted password? In order to get to the encrypted password is not your system already compromised?
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †; joined Jun 16, 2003; 26,119 messages; location: California)

Yes. Yes.

I had refrained from this sort of post because I do believe in longer complex passwords, but you're right.

Jeff
 